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SYSTEM FOR PROVIDING DYNAMIC DATA INFORMED CONSENT 

TO PROVIDE DATA PRIVACY AND SECURITY 
IN DATABASE SYSTEMS AND IN NETWORKED COMMUNICATIONS 

Field of the Invention 

This system relates to the fields of database management systems and 
networked electronic communications and, in particular, to a system for managing the 
authorization of parties to access data contained in databases and transmitted in a 
networked environment. 

Problem 

It is a problem in the field of modern electronic data interchange among parties 
operating in networked environments (especially using the open medium of the 
Internet) and using large databases to ensure the privacy of personalized data that 
is stored and exchanged among parties unrelated to the owner (subject) of the 
information. In many database management systems, there are a number of classes 
of users who require access to data stored in the database system, but these classes 
of users should have authorization to access only a predefined portion of the data 
contained therein. Furthermore, there is a need for non-uniformity of access that may 
be authorized across a particular class of users. The consumer whose data is stored 
in the database should have the capability to selectively authorize specific users in 
a class to access the consumer's data. Likewise, the consumer should have the 
ability to authorize the conditions under which the consumer's personal data is 
exchanged among third parties. Existing database management systems fail to 
provide a consumer who has data stored in the database system the ability to 
participate in the management of the authorization of parties to access the consumer's 
data contained in the database, or to grant transaction authorization among parties 
using the consumer's data. The typical data access management paradigm is to 
require the consumer to provide blanket data access and transaction authorization to 
broad classes of users, without the consumer having the ability to define the 
authorization to a finer degree of granularity, or being able to revoke authorization to 
access the consumer's data in a simple manner. 

In the more general field of consumer personal data, public concerns are 
escalating over the management of consumer personal information, such as 
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individualized health care information, and especially information stored in electronic 
format. The issue has reached a level of significance such that U.S. Congress has 
moved to address these concerns, spurred by numerous consumer rights and privacy 
groups. As an example of the response to these concerns, Section 264 of the Health 
5 Insurance Portability and Accountability Act of 1996 (HIPAA) required that the 
Secretary of Health and Human Services issue recommendations to Congress 
regarding regulatory protection of privacy, confidentiality and consumer access to 
individually identifiable health information. However, there is presently no viable 
technology-based system for satisfying these above-listed needs in the field of health 

10 information or any other field that uses consumer personal data. 

For those engaged in healthcare operations - payers, providers and care plans 
- the need to comply with the aforementioned Health and Human Services regulations 
imposes significant new burdens of expense and liability relative to the management 
of health care information. The proposed regulations force health care businesses 

1 5 that transact, hold or distribute personalized health care data for treatment, payment, 
research, or other purposes to each obtain the consent of each consumer (patient) 
who may be the subject of such data. The consent must be informed - i.e., the 
consumer must know what information is to be used, for what purposes, with whom 
it is to be shared, etc. Furthermore, each health care business must manage the 

20 consumer's informed consent to comply with the wishes of the consumer regarding 
disclosure of the data. Each health care business must maintain a log and an audit 
trail of disclosures, with the log containing time and date stamp data, assuring that the 
disclosure is authorized, that the purpose for which the data is disclosed is authorized, 
and that the minimum data set to serve the intended purpose is disclosed. The audit 

25 trail must be maintained for the life of the record and must be made available to the 
consumer on request. Failure of the business to manage consumer personalized 
health care data as described in the proposed regulations subjects the business to 
official sanctions and penalties, and to liability and legal action for redress. 

Attempts by health care businesses to meet privacy, confidentiality and 

30 consumer access statutes and regulations require significant development and 
administrative expenses, and entail risk and attendant liability. However, regardless 
of the extent to which any health care business unilaterally attempts compliance, there 
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is no certainty of such compliance. The reason is that the nature of the proposed 
regulations requires that the transactions involving health care data be in compliance. 
Therefore, in most cases (billing, exchange of clinical data, etc.) transactions involve 
two independent businesses. One business may be compliant, the other, not 
compliant, thus creating transaction non-compliance for both businesses. Even within 
a large organization, it may not be appropriate that certain workers have access to 
consumer files, thus creating a violation unless a suitable privacy mechanism is in 
place. 

The regulations for mandated consumer control of the flow of personal health 
care data are expected to be propagated into other sectors of industry that currently 
manage, store and distribute consumer personal information. Thus, the issues faced 
by the health care industry are expected to be the same issues faced in other 
industries that gather, store, and provide access to consumer personal information - 
such as the banking, credit, legal, retail sales and accounting fields. 

There are six recognized conditions of privacy that any technology-based 
system must accommodate: 

Notice - The individual has the right to know that there is the possibility of 

collection of personally identifiable data (Pll). 

Choice - The individual has the right to choose not to have the data collected. 
Use - The individual has the right to know how data is expected to be used and 
to restrict its use. 

Security - The individual has the right to know the extent to which the data is 
protected. 

Correction - The individual has the right to challenge the accuracy of the data 
and to provide corrected information. 

Enforcement - The individual has the right to seek legal relief through 
appropriate channels to protect privacy rights. 

A technology-based solution to ensure privacy and confidentiality for 
individually identifiable electronic information must take into account ail six conditions, 
and thereby must reveal the conditions upon which disclosure is authorized and allow 
for changes in authorization over time, hence the concept of dynamic data informed 
consent. 
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Solution 

The above described problems are solved and a technical advance achieved 
by the present system for providing dynamic data informed consent which enables 
consumers to govern the flow of their personal data regardless of the nature of the 
5 information. The goal of the Dynamic Data Informed Consent system is to create a 
mechanism by which Data Informed Consent obtained from a consumer can govern 
a transaction environment for the exchange of consumer (e.g. health care, financial, 
and the like) information by and among client organizations (e.g. health care 
businesses, banks and credit bureaus, and the like). The further objective of the 

1 0 Dynamic Data Informed Consent system is to provide the data access transaction 
environment (including Data Informed Consent) in its entirely, in order to reduce its 
client businesses' development and administrative costs, and to assure compliance 
with legal requirements for data exchange re: privacy and confidentiality. 

Various means of securing the data are available, such as symmetric and 

15 asymmetric encryption key systems and protected lists. Various means of 
authentication of users are available, including digital signatures, passwords, 
biometrics and smart cards. In the present embodiment, the security of data is 
addressed through the means of a public key infrastructure and digital /certificate 
issuance to authorized and authenticated users. Each transaction participant consists 

20 of a client company that holds a general Digital Certificate to authenticate that 
company, as well as sub-Digital Certificates for various classes of authorized workers 
employed by that company. Each Digital Certificate bears a unique identifier to 
ensure that it can be tracked. (Other means of authentication, such as smart cards 
or biometric reading devices, may also be used for authentication of authorized 

25 parties.) Each Digital Certificate issued to client companies is accompanied by a set 4 
of requirements governing its use that are designed for compliance with regulations 
and the data access limitations defined by the consumer. Each client company 
specifically attests to its compliance with those stipulations. Each consumer is 
authenticated and issued a Digital Certificate or other means of authentication to use 

30 in the generation of a Dynamic Data Informed Consent and for use in the event of 
electronic changes to the Data Informed Consent in the course of the Dynamic Data 
Informed Consent system's service as agent for the consumer. Thus, the consumer 
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can define a set of data access rules which designate the client companies, and 
classes of employees within those companies, who have access to the consumer's 
personal data (termed "proprietary consumer specific data" herein) and the particular 
segments of that proprietary consumer specific data to which each client company is 
entitled. The Data Informed Consent is dynamic in that the consumer can use their 
Digital Certificate (or other authenticated means) at any time to access and modify 
their Data Informed Consent provided to the Dynamic Data Informed Consent system. 

The medium for data transmission among the parties served by the Dynamic 
Data Informed Consent system is any electronic data communication system, such as: 
the Internet, Intranet, Virtual Private Network (VPN), Wide Area Network, Public 
Telephone Switched Network (PTSN), and the like. The data transmitted by 
transacting parties need never be seen, except for the minimum data necessary to 
assure identity of the subject, nor held by the Dynamic Data Informed Consent 
system. The Dynamic Data Informed Consent system acts as a compliance 
clearinghouse for the data flow (i.e., as traffic cop, not as custodian). In providing 
compliance assurance, the Dynamic Data Informed Consent system maintains for 
each Data informed Consent a log of users, category of proprietary consumer specific 
data, purpose for which the proprietary consumer specific data is used, which log is 
time and date stamped. The Dynamic Data Informed Consent System maintains the 
audit trail of all uses of proprietary consumer specific data, together with audit 
analysis software to determine if any breach of the System's authorization structure 
occurs. The components of the Dynamic Data Informed Consent system by which 
dynamic Data Informed Consent modulates a security structure for the transmission 
and exchange of personal electronic data include: 

A public key infrastructure (PKI) that provides robust encryption of all 
proprietary consumer specific data routed through the Dynamic Data Informed 
Consent system. Encryption modalities other than PKI may be employed to 
implement this function. 

Digital certificates to provide ongoing authentication of approved parties, 
and associated constraints on use and attestations provided by the parties to 
whom they are issued. Other means of authentication such as passwords, 
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biometrics and smart cards may be used to implement this function. 

A data center and service center managed by a controlling entity to 
manage both the issuance of digital certificates to participants (client 
companies and consumers), and the management of Data Informed Consent. 

The Data Informed Consent module and methods of management as a 
governor of the transaction environment. The Data Informed Consent module 
consists of a rules-driven (inference engine-driven) database management 
system (DBMS) with lookup tables corresponding with the authorizations, or 
revocations thereof, placed by each consumer executing Data Informed 
Consent. 

The Data Informed Consent module itself consists of the following essential elements: 
A cross-platform compatible, scalable data base management system 

(DBMS) such as Oracle or Sybase. 

A graphic user interface to allow consumer interaction with the Dynamic 

Data Informed Consent system. 

A forms-driven component for the consumer to understand their legal 

rights and to modify authorizations for various consumer-specified entities to 

hold, access and transact with (disclose) the consumer's proprietary consumer 

specific data. 

A component to enable the consumer to change the level of 
authorization to and among authorized parties. 

A component to enable the consumer to segmental ize 
(compartmentalize) proprietary consumer specific data. 

Look-up tables with reference to individual consumers that list 
authorizations and similar tables that consist of revocations of authorizations. 

A component to log all instances of authorized use of proprietary 
consumer specific data and unauthorized attempts to use proprietary consumer 
specific data. 

A component to audit and analyze the logs that catalogue authorized 
and attempts at unauthorized use of proprietary consumer specific data. 

Software interface with PKI or another data security platform, such that 
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consumer identifiers are accessed and checked against authorization and 
authorization revocation lists. 

Thus, the Dynamic Data Informed Consent system enables consumers to 
govern the flow of their proprietary consumer specific data regardless of the nature 
5 of the information. The consumer can define a set of data access rules which 
designate the client companies who have access to the consumer's proprietary 
consumer specific data and the particular segments of that proprietary consumer 
specific data to which each client company is entitled. The Data Informed Consent 
is dynamic in that the consumer can use their Digital Certificate at any time to access 
10 and modify their Data Informed Consent provided to the Dynamic Data Informed 
Consent system. 

Brief Description of the Drawing 

Figure 1 illustrates in block diagram form the overall architecture of the 
Dynamic Data Informed Consent system and a typical environment in which it is 
15 operational; 

Figure 2 illustrates additional details of the Dynamic Data Informed Consent 
system and provides an indication of a typical data flow therein; 

Figures 3 and 4 illustrate in flow diagram form the operation of the Dynamic 
Data Informed Consent system of Figure 2 in processing a typical transaction; 
20 Figure 5 illustrates in block diagram form the structure of the Dynamic Data 

Informed Consent Domain; 

Figure 6 illustrates the communication pathways that are used in the 
processing of an institution query to an information management system IMS, using 
the Dynamic Data Informed Consent system as an authorizing agency to enable the 
25 institution to access a consumer's proprietary consumer specific data; and 

Figure 7 illustrates in flow diagram form the operation of this information 
management system IMS, using the Dynamic Data Informed Consent system as an 
authorizing agency to enable the institution to access a consumer's proprietary 
consumer specific data. 
30 Detailed Description 

The Dynamic Data Informed Consent system enables consumers to govern the 
flow of their proprietary consumer specific data regardless of the nature of the 
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proprietary consumer specific data. The goal of the Dynamic Data Informed Consent 
system is to create a mechanism by which Data Informed Consent can govern a 
transaction environment for the exchange of consumer (e.g. health care, financial, and 
the like) information by and among client organizations (e.g. health care businesses, 
5 financial institutions, and the like). The further objective of the Dynamic Data 
Informed Consent system is to provide the transaction environment (including Data 
Informed Consent) in its entirely, in order to reduce its client businesses' development 
and administrative costs, and to assure compliance with legal requirements for 
exchange of proprietary consumer specific data re: privacy and confidentiality. 

10 Figure 1 shows in block diagram form the overall architecture of the Dynamic 

Data Informed Consent system 101 and a typical environment in which it is 
operational. The Dynamic Data Informed Consent system 101 is interconnected via 
a data transmission medium 102 (such as the Public Telephone Switched Network) 
to a consumer's terminal device 104, such as a personal computer, and via a data 

1 5 transmission medium 1 03 (such as the Internet) to a client's terminal device 1 05, such 
as a personal computer. The Dynamic Data Informed Consent system 101 itself 
comprises an interface element 111, such as a WEB server, to interconnect the 
Dynamic Data Informed Consent system 101 with the respective data transmission 
medium 1 02, 1 03, thereby enabling both the consumer and clients to interconnect with 

20 the Dynamic Data Informed Consent system 101. The Dynamic Data Informed 
Consent system 101 also includes a Data Informed Consent domain module 1,12 as 
is described in additional detail below. The Dynamic Data Informed Consent system 
101 can optionally include a data storage manager 113 and its associated data 
storage devices 114, 115 which store the proprietary consumer specific data, or, 

25 alternatively, the proprietary consumer specific data can be stored in whole or in part . 
in one or more external data storage system(s) 1 06. The external data storage 
system 1 06 includes a data storage manager 121 , administrator interface terminal 122 
and its associated data storage devices 123, 124, which stores the proprietary 
consumer specific data. The Dynamic Data Informed Consent system 101 functions 

30 to provide a data access transaction environment for proprietary consumer specific 
data, including but not limited to the typical steps of: receiving requests for proprietary 
consumer specific data from clients, authentication of clients, maintaining security of 

-8- 
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the proprietary consumer specific data, issuance of digital certificates to authorized 
and authenticated users to enable clients to access the proprietary consumer specific 
data, under the terms and conditions specified by the consumer. 
Definitions: 

Confidentiality - This comprises a secret communication with another party 
(trusted other). The confidential exchange of information implies that the information 
is exchanged or shared with the trusted other who is trusted to keep the information 
secret, i.e. the trusted other will not disclose the information to others. 

Privacy - This comprises the state of being free from unsanctioned intrusion. 
Privacy is often confused with security. Security implies safety from intrusion, while 
privacy invokes the ability of a person to avoid intrusion unless that person authorizes 
the intrusion. 

Security - This comprises the level to which data is safe from unauthorized use. 
Security requires mechanisms which protect the data from unauthorized use. The 
dynamic process of authorization or revocation of authorization via operation of a 
security mechanism is the exercise of privacy. 

Data Informed Consent - The process by which a consumer is informed about 
their rights under the law, and the responsibilities of parties who use their 
personalized information ("General Advisory"), as well as the manner in which their 
data is used, managed and protected ("Specific Advisory"). This process provides for 
interactive consumer control of disclosure authorization and the revocation thereof 
("Dynamic Consent"). In other words Data Informed Consent dictates what client 
companies can do with the consumer's data - hence a two-way interaction: The 
present system informs the consumer of the various options; consumers consent to 
client companies accessing their data via the present system pursuant to the 
parameters specified by the consumer. 
Health Care Example 

The description that follows pertains to the current challenge of managing 
security and privacy for health care information. While the example is focused on the 
use of electronic apparatus to implement the data storage, data exchange, data 
security, and privacy components of the Dynamic Data Informed Consent system, it 
is expected that portions of this Dynamic Data Informed Consent system may entail 
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the use of traditional paper-based forms and processes. The present example is used 
due to its pertinence to the present needs of the health care industry and is intended 
to be illustrative of the concepts embodied in the Dynamic Data Informed Consent 
system and is not intended to limit the scope of the Dynamic Data Informed Consent 
5 system as embodied in the claims appended hereto. The concepts illustrated herein 
are directly applicable to numerous other Dynamic Data Informed Consent 
applications, including but not limited to: banking, credit agencies, employment, 
education, taxing agencies, government and their regulatory agencies, and the like. 

1 0 For those engaged in healthcare operations - payers, providers and care plans 

-the need to comply with the aforementioned Health and Human Services regulations 
imposes significant new burdens of expense and liability relative to the management 
of health care information. The proposed regulations force health care businesses 
that transact, hold or distribute personalized health care data for treatment, payment, 

15 research, or other purposes to each obtain the consent of each consumer (patient) 
who may be the subject of such data. The consent must be informed - i.e., the 
consumer must know what information is to be used, for what purposes, with whom 
it is to be shared, etc. Furthermore, each health care business must manage the 
consumer's informed consent to comply with the wishes of the consumer regarding 

20 disclosure of the proprietary consumer specific data. Each health care business must 
maintain a log and an audit trail of disclosures, with the log containing time and date 
stamp data, assuring that the disclosure of the proprietary consumer specific data is 
authorized, that the purpose for which the proprietary consumer specific data is 
disclosed is authorized, and that the minimum data set to serve the intended purpose 

25 is disclosed. The audit trail must be maintained for the life of the record and must be 
made available to the consumer on request. Failure of the business to manage 
consumer personalized health care data as described in the regulations subjects the 
business to official sanctions and penalties, and to liability and legal action for 
redress. 

30 Dynamic Data Informed Consent 

The Dynamic Data Informed Consent system interactively manages the wishes 
of the consumer regarding all elements of disclosure of proprietary consumer specific 
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data (personalized electronic health care data). The management of Data Informed 
Consent pertaining to paper-based records is a manual administrative process 
designed to reflect the principles embodied in dynamic, electronic Data Informed 
Consent management system described herein. 

The general provisions that the Dynamic Data Informed Consent system must 
accommodate in deploying Data Informed Consent typically include the following: 

1. ) There is a duty not to use or disclose health information except as 
authorized by the consumer, or as explicitly permitted by legislation or regulations. 

2. ) Clients (providers or payers) are permitted to use the health information 
only for purposes compatible with and directly related to the purposes for which the 
information was collected or received, or for which they are authorized to disclose the 
information. 

3. ) Clients (providers or payers) are required to maintain reasonable and 
appropriate administrative, technical, and physical safeguards. 

a. ) The Dynamic Data Informed Consent system ensures the integrity and 
confidentiality of health information; and 

b. ) The Dynamic Data Informed Consent system protects against any 
reasonably anticipated threats or hazards to the security or integrity of the information 
and unauthorized uses or disclosures of the information. 

4. ) All uses and disclosures are restricted, to the extent practicable, to the 
minimum amount of information necessary to accomplish the purpose for which the 
information is used or disclosed. 

5. ) Clients (providers and payers) are required to prepare a written notice to 
inform patients of their information practices and of patients' rights regarding the 
health information. 

6. ) Patients are allowed to inspect and copy health information about them held 
by providers and payers (and by) public health authorities, and by oversight agencies 
in any situation in which an oversight agency has made an adverse decision about the 
rights, benefits, or privileges of the patient. 

7. ) Patients are permitted to seek correction or amendment of health 
information about them held by any entity obliged to permit patients to inspect health 
information about them. 
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8. ) Clients (providers and payers) are required to retain a history of all 
disclosures of health information made for treatment, payment, research, oversight, 
public health, emergencies, to State data systems, for law enforcement, in judicial 
proceedings, and with the authorization of the patient. The record includes the date 

5 and purpose of the disclosure; the name and address to whom the disclosure was 
made or the location to which the disclosure was made; and where practicable, a 
description of the information disclosed. Patients are permitted to see this record and 
the disclosure history is maintained for the life of the record to which it relates. 

9. ) Clients (providers and payers) are permitted to disclose information 
' 1 0 pursuant to the authorization of a patient under the following conditions: 

a. ) The authorization is in writing, is dated, and is signed or otherwise 
authenticated; 

b. ) The authorization states an expiration date, or event, and is received by that 
date or event; 

15 c.) The authorization specifies the information to be disclosed; 

d. ) The authorization specifies the entity or entities which are to disclose the 
information; 

e. ) The authorization specifies the person or persons or entity or entities to 
receive the information; 

20 f.) The authorization states that the patient has received a statement of the 

intended use of the information by the recipient; and 

g.) The authorization is not on the same form on which a patient consents to 
health care. 

10. ) Clients (providers and payers or other persons) who request a patient to 
25 authorize disclosure of health information are required to give the patient a copy of 

the authorization. 

1 1 . ) A consumer is permitted to revoke an authorization to disclose information 
except to the extent that action has been taken in reliance on the authorization. 

12. ) Entities disclosing information pursuant to an authorization are required 
30 to retain a copy of the authorization, and a record of the disclosure. 

13. ) A person who requests a consumer to authorize disclosure of health 
information is required to provide a statement for retention by the patient, not on the 
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same form as the authorization for treatment, specifying the purposes for which the 
information is sought and the uses and disclosures to be made of it. The use or 
disclosure of the health information inconsistent with the statement is the basis for a 
civil action for damages. 
5 Requirements of Data Informed Consent 

To convert the principles noted above into afunctional Data Informed Consent 
that, when combined with the stipulations of Digital Certificate issuance to client 
companies, creates a compliant transaction environment, requires that Data Informed 
Consent: 

10 1 .) Tell a consumer about their rights under the law, and the responsibilities of 

parties using their proprietary consumer specific data ("General Information"). 

2. ) Inform the consumer of the manner in which their proprietary consumer 
specific data is used, managed and protected ("Specific Information") by the parties 
using their proprietary consumer specific data. 

15 3. ) Provide for interactive consumer control for disclosure authorization and the 

revocation thereof ("Dynamic Consent"). 

In other words, Data Informed Consent articulates what the Dynamic Data 
Informed Consent system client companies will do (under the Dynamic Data Informed 
Consent system watchfulness), and does what the Dynamic Data Informed Consent 

20 system's consumers authorize be done with their proprietary consumer specific data - 
hence a two-way interaction: the Dynamic Data Informed Consent system informs; 
consumers consent. It is the consent side that involves the interactive programming 
and the functionality of Data Informed Consent to monitor and authorize the 
completion of health care data transactions by third parties that involve Data Informed 

25 Consent subject proprietary consumer specific data. 

Excerpting from the proposed Health and Human Services regulations, the 
following functional elements can be categorized as either achieving compliance 
through informing or achieving compliance via managing consent: 
1 .) Elements that proscribe a duty to inform include 1 - 5. 

30 2.) Elements that proscribe a duty to manage consent include 8-13. 

3. ) Elements that speak to access to records include 6-8. 

The Dynamic Data Informed Consent system intends to provide its consumer 
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customers with services that allow the Dynamic Data Informed Consent system to act 
as consumers' agent in gaining such access. The Data Informed Consent module 
application itself is both explanatory and interactive, taking into account the 
functionality dictated by the proposed regulations. 
5 Basic Components of the Dynamic Data Informed Consent System 

The components of the Dynamic Data Informed Consent system by which 
dynamic Data Informed Consent modulates a security structure for the transmission 
and exchange of personal electronic data include: 

A public key infrastructure (PKI) that provides robust encryption of all 
10 data routed through the Dynamic Data Informed Consent system. Encryption 

modalities other than PKI may be employed to implement this function. 

Digital certificates to provide ongoing authentication of approved parties, 
and associated constraints on use and attestations provided by the parties to 
whom they are issued. Other means of authentication such as passwords, 
15 biometrics and smart cards may be used to implement this function. 

A data center and service center managed by a controlling entity to 
manage both the issuance of digital certificates to participants (client 
companies and consumers), and the management of Data Informed Consent. 

20 The Data informed Consent module and methods of management as a 

governor of the transaction environment. The Data Informed Consent module 
consists of a rules-driven (inference engine-driven) database management 
system (DBMS) with lookup tables corresponding with the authorizations, or 
revocations thereof, placed by each consumer executing Data Informed 
25 Consent. 

The Data Informed Consent module itself consists of the following essential elements: 
A cross-platform compatible, scalable data base management system 
(DBMS) such as Oracle or Sybase. 

A graphic user interface to allow consumer interaction with the Dynamic 
30 Data Informed Consent system. 

A forms-driven mechanism for the consumer to understand their legal 
rights and to modify authorizations for various consumer-specified entities to 



-14- 



WO 01/33936 



PCT/US00/41623 



hold, access and transact with (disclose) the consumer's proprietary consumer 
specific data. 

A component to enable the consumer to change the level of 
authorization to and among authorized parties so as to enable the consumer 
to segmentalize (compartmentalize) proprietary consumer specific data. 

Look-up tables with reference to individual consumers that list 
authorizations and similar tables that consist of revocations of authorizations. 

A component to enable log all instances of authorized use of proprietary 
consumer specific data and unauthorized attempts to use proprietary consumer 
specific data. 

Software to audit and analyze the logs that catalogue authorized and 

attempts at unauthorized use of proprietary consumer specific data. 

Software interface with PKI or other data security platform such that 

consumer identifiers are accessed and checked against authorization and 

authorization revocation lists. 
Operation of the Dynamic Data Informed Consent System 

Figure 2 illustrates additional details of the Dynamic Data Informed Consent 
system 101 in conceptual block diagram form to illustrate the functionality of this 
system. The Dynamic Data Informed Consent system 101 is shown interconnected 
by a data communication medium 201 with a plurality of clients and consumers. In 
particular, a plurality of consumers can access the Dynamic Data Informed Consent 
system 1 01 via their data terminal devices 21 1 -21 3 to subscribe to the services of the 
Dynamic Data Informed Consent system 101, establish a data informed consent for 
storage therein and optionally to dynamically update the data informed consent. The 
clients represent various users, such as Information Management System (IMS2), who 
store proprietary consumer specific data for the consumers, as well as clients who 
request access to the stored proprietary consumer specific data. In the health care 
example used herein, these clients can be: physicians at their data terminal devices 
202; institutions, such as health care businesses, via their computer systems 280; and 
the like. 

The Dynamic Data Informed Consent system 1 01 functions to regulate the 
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exchange of proprietary consumer specific data among the plurality of clients served 
by the Dynamic Data Informed Consent system 101. The Dynamic Data Informed 
Consent system 101, in a typical embodiment, itself comprises one or more servers 
221 , 222 which interface the Dynamic Data Informed Consent system 1 01 to the data 
5 communication medium 201. The Dynamic Data Informed Consent system 101 can 
be viewed as a plurality of components, which can be implemented as an integrated 
facility or portions thereof can be outsourced to other vendors. For example, the data 
storage function can optionally be implemented within Dynamic Data Informed 
Consent system 101 as an Information Management System (IMS1), and the Public 

1 0 Key Infrastructure (PKI) can optionally be implemented within Dynamic Data Informed 
Consent system 101. The Information Management System (IMS1) includes a data 
storage manager 251 , administrator interface terminal 254 and its associated data 
storage devices 252, 253, which stores the proprietary consumer specific data. The 
core element of the Dynamic Data Informed Consent system 101 is the dynamic Data 

15 informed Consent Management system (DIC Management). The Public Key 
Infrastructure (PKI) comprises a subscriber manager 220 and a key management 
element 230, shared between the Data Informed Consent Management system (DIC 
Management) and the Public Key Infrastructure (PKI). in addition, the Public Key 
Infrastructure (PKI) includes a digital certificate processing element 240. 

20 The Data Informed Consent Management system (DIC Management) typically 

comprises one or more servers 221, 222 to manage interactions with the data 
communication medium 201 . The Data Informed Consent Management system (DIC 
Management) includes a consumer/client subscription module comprising the RA 
Control Center 225, an associated administrator data terminal device 226 and data 

25 storage elements 227. Similarly, a digital certificate module, comprising the CA 
Control Center 223, an associated administrator data terminal device 224 and data 
storage elements 228, is provided. Finally, the Data Informed Consent Management 
system (DIC Management) includes a data informed consent module 260, comprising 
DIC Control Center 261 , an associated administrator data terminal device 262 and 

30 data storage elements 263, 264. The operation of these elements is described below. 

Dynamic Data Informed Consent Transaction 
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For clients and consumers to be served by the Dynamic Data Informed Consent 
system 101, their identity must be verified and ensured in future transactions. This 
is typically accomplished by use of the well known paradigm of Digital Certificates. 
When a consumer or client wishes to avail themselves of the services of the Dynamic 
Data Informed Consent system 101, they establish a communication connection via 
data communication medium 201 to the Dynamic Data Informed Consent system 101 
and interconnect with servers 221 , 222. The Dynamic Data Informed Consent system 
101 then executes a script via RA Control Center 225 and certificate processing 
system 240, to identify the consumer/client and record their identity and set of 
permissions in the registration database stored in memory 227. The Dynamic Data 
Informed Consent system 101 in well known fashion issues a Digital Certificate via 
certificate processing system 240, which Digital Certificate is transmitted via servers 
221, 222 and data communication medium 201 to the customer/client to thereby 
authorize future access to the Dynamic Data Informed Consent system 101. 

When Digital Certificates are issued by the Dynamic Data Informed Consent 
system 101 to clients (Transacting Party A and Transacting Party B, both members 
of the class of clients shown in Figure 1), these parties can access the Dynamic Data 
Informed Consent system 101 to assure compliance with a consumer's dynamic data 
informed consent when accessing consumers' proprietary consumer specific data. 
The consumers are also provided with Digital Certificates, which they use to access 
the Dynamic Data Informed Consent system 101 to create the Data Informed Consent 
for the consumer's personal data. Thus, the consumer, via data communication 
medium 201, accesses the Dynamic Data Informed Consent system 101 and, in 
particular, the Data Informed Consent module 260 to create a Data Informed Consent 
file for the consumer's proprietary consumer specific data which is stored in informed 
consent database memory 263. This data informed consent data created by the 
consumer is the basis of empowering the clients to access, exchange and process the 
consumers' proprietary consumer specific data. It is apparent that the consumer can 
create the data informed consent data via the submission of a paper form, which is 
then input into the Dynamic Data Informed Consent system 101 by clerical staff. In 
either case, the data informed consent stored in Dynamic Data Informed Consent 
system 101 is the basis for the transactions described herein. 
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To follow the flow of a typical transaction involving personalized health data, 
consider the following example, which is illustrated in flow diagram form in Figures 3 
and 4. In a typical transaction, a Transacting Party A, such as a physician at data 
terminal device 202, wishes to send consumer-specific data stored in Information 
5 Management System IMS2 to Transacting Party B, such as the health care business 
served by computer system 280. Prior to this transaction, at step 301 A, Transaction 
Party A receives a Digital Certificate issued by the Dynamic Data Informed Consent 
system 101 and at step 301 B Transaction Party B receives a Digital Certificate issued 
by the Dynamic Data Informed Consent system 101 to thereby authorize their access 

10 to the proprietary consumer specific data managed by Dynamic Data Informed 
Consent system 101 . At step 302, Transaction Party A (the sender, often a provider) 
batches a plurality of customer billings for transmission to Transaction Party B (the 
recipient, often a payer), with attachments comprising proprietary consumer specific 
data stored in Information Management System IMS2, and/or requiring the 

15 Transaction Party B to access consumer medical history data stored in Information 
Management System IMS2. The data, regardless of application, is encrypted at step 
303 under the PKI, by the Transaction Party A with digital signature attached. The 
data is packaged (encrypted, digital signature attached, along with statement of 
purpose and description of data type) by the sender Transaction Party A at step 304. 

20 Under PKI security, the data package is routed at step 305 via data communication 
medium 201 or other suitable medium to the Dynamic Data Informed Consent system 
101. 

The Dynamic Data Informed Consent system 101 Certificate Processing 
module 240 verifies the authorization of Transaction Party A at step 306, and the 

25 validity of Transaction Party B as a client of the Dynamic Data Informed Consent 
system 101. The verified request is then reviewed at step 307 to ensure that the 
digital signature appended to the data is correct. The data package is then routed at 
step 308 through the Data Informed Consent module 260 to be processed. The 
received request is reviewed at step 309 as to content and use requested and 

30 compared to the permissions provided by the consumer's dynamic data informed 
consent stored in informed consent database 263. Should a transaction party be on 
the Certificate Revocation List (CRL), the transaction is refused by the Dynamic Data 



-18- 



WO 01/33936 



PCT/US00/41623 



Informed Consent system 101 at step 310 and a record kept of the attempt to access 
proprietary consumer specific data, and refusal to confirm/allow in transaction audit 
log 264. All transactions, once cleared through the Certificate/signature validation 
step 309, are routed through the Data Informed Consent module 260 which at step 

3 1 1 looks up the authorization status for each subject of the transaction data package. 
If each consumer has authorized each transaction party to receive or hold the 
consumer's proprietary consumer specific data, the transaction is fully cleared at step 

312 and the appropriate audit log entries are recorded at step 31 3 in transaction audit 
log 264. If one or more consumers has refused (revoked) disclosure authorization to 
either transacting party, or if one or more consumers have not specifically authorized 
either transacting party, proprietary consumer specific data for those consumers is 
made unreadable to the recipient at step 314, and the transaction only partially 
cleared at step 315. An audit log is kept of each transaction for each consumer. The 
cleared transaction is sent on to recipient, Transaction Party B, over the data 
communication medium 201 at step 31 6. The recipient uses its private key to "unlock" 
the cleared transaction data package at step 317 and subject the proprietary 
consumer specific data to further processing. Each consumer for whom the 
controlling entity holds Data Informed Consent proxy also receives a Digital Certificate 
for authentication for entry into the consumer's own Data Informed Consent file for 
changes, to see transaction audit trails, etc at step 318. 

In this example, there can optionally be a need to access proprietary consumer 
specific data which is stored in an Information Management System IMS2, which can 
be located external to the Dynamic Data Informed Consent system 101. In this case, 
the Dynamic Data Informed Consent system 101 must issue a Digital Certificate to the 
Information Management System IMS2 to enable the Transaction Party A and/or B to 
retrieve the consumers 1 proprietary consumer specific data and provide same to the 
Transaction Party B. 

If Transaction Party B had requested the proprietary consumer specific data 
from Transacting Party A (as opposed to Transaction Party A sending the data to 
Transaction Party B, such as in the present example whereby Party A, a provider, 
might be billing Party B, a payer, for services rendered to consumers), the Dynamic 
Data Informed Consent system 101 could easily be used to validate the request for 
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appropriate authorizations, though the transaction including "wrapped" data would 
also need to go through the Dynamic Data Informed Consent system 101 for final 
validation and audit trail construction. 
Information Management System Data Access Example 
5 There are numerous clients that can access the information management 

system IMS2. The block diagram of Figure 6 illustrates an access of Information 
Management System 2, absent the interposed function the Dynamic Data Informed 
Consent system 101 described above to regulate access to the proprietary consumer 
specific data. This description is intended to illustrate a typical implementation of an 

1 0 Information Management System IMS2 which can be cooperatively operative with the 
Dynamic Data Informed Consent system 101 as described above. 

The data accessing clients include health care providers at their terminal 
equipment or servers S1-Sm, institutions via their terminal equipment and servers 11- 
Ij, and the like. The various users each can use the communication network PTSN to 

1 5 access the information management system IMS and its analysis function based upon 
the predefined class of "users" which classes can include consumers, medical 
practitioners, health care providers, institutions, and the like. The database 400 is 
architected in a hierarchical manner to enable the users to access only the relevant, 
prepartitioned segment of the collected proprietary consumer specific data that the 

20 particular class of user is authorized to receive. Thus, the privacy of the proprietary 
consumer specific data is maintained by prohibiting access to this individual's 
proprietary consumer specific data except to users who are specifically authorized by 
the consumer. In addition, the granularity of the proprietary consumer specific data 
made available to the various classes of users is selected to prevent the users from 

25 deriving information about the consumer population that they are not entitled to 
receive. This access control is enforced by the use of a plurality of filters 403-406, 
each of which is architected to provide customized access to a selected one of the 
classes of users that can access the information management system IMS, as 
described below. 

30 Information Management System Architecture 

The information management system IMS comprises a database 400 that 
stores and manages the proprietary consumer specific data collected from the 
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consumers. The proprietary consumer specific data is typically stored in database 
400 on a mass storage system to enable the associated database processors to have 
efficient shared access to this data. The database processors include data 
processing algorithms 408 that operate on the proprietary consumer specific data that 
is collected from the individual consumers to produce additional data that is indicative 
of consumer specific or user specific statistics. 

Once acquired, the proprietary consumer specific data may serve a multitude 
of inquisitors. Assigning a user-access code to each class of inquisitor easily controls 
level of access and interpretation. The interpretation filters 404-406 are specific to 
each class of user-access code. The users who are entitled to access to the system 
are: 

Consumers who have registered 

Physician care-providers who are registered as subscribers 
Institutions who are registered as subscribers 

Each user is assigned an access code. The system database includes various 
data segments including, but not limited to: 
Raw data 

Demographic, user-specific data 

User access codes 
Database Management System 

The database management system that is operational on the database 400 
comprises analytical software that includes both the commercially available database 
software and custom software for the specific data analysis task. The software 
routines include but are not limited to: 

Access Code Recognit ion Software 401 - verifies that the inquiring user has 
an operative access code, confirms the code classification and routes the user's 
request to an Initial Output Filter 

Download Acceptance Software 402 - accepts data for storage in the 
database, places the received data in a buffer file until the received data can be 
screened and processed for inclusion in the database 

Initial Output Filter 403 - segregates the possible array of outputs as a function 
of access code and query. 
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Pattern Recognition Software 407 - an artificial intelligence routine that takes 
the elements of a pattern and compares the pattern against known patterns to 
produce an analysis result within certain confidence limits. 

Consumer Query Output Filter 404 - this routine delimits the nature of the 
output report to the consumer. 

Provider Query Output Filter 405 - this routine delimits the nature of the output 
report to the provider. 

Institution Query Output Filter 406 - this routine delimits the nature of the output 
report to the institution. 
Institution Query 

An example of the use of the information management system IMS is where an 
institution, such as a managed care company, seeks information regarding fertility 
status among a population of reproductive age women in the New York state area, 
where the company is considering offering coverage for infertility care. In order to 
assess the economics of such coverage, the institution needs accurate actuarial data 
on the type of fertility problems exist and the frequency of such problems. Figure 6 
illustrates the communication pathways that are used in the processing of an 
institution query to the information management system IMS, while Figure 7 illustrates 
in flow diagram form the operation of this information management system IMS. 

At step 701 the institution activates the telecommunications software resident 
in the institution's personal computer 500 to establish a communication connection to 
the Web Site Router 200 over a standard communication connection via path (a). 
Once so connected, the personal computer 500 identifies itself by transmitting the 
institution's Institution Access Code and a request for information to the information 
management system IMS. At step 702, the Web Site Router 200 receives the request 
and forwards the received query over path (b) to the database 400. At step 703, the 
database system 400 activates the access code recognition process 401 which 
compares the received institution access code data with institution data stored in the 
database 400 to verify the both the nature of the requesting party (institution) and the 
authorization of this institution to access the services and data provided by the 
database 400. Once the institution is validated, the access code recognition process 
401 forwards the received request over path (c) to the initial output filter 403. The 
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initial output filter 403 at step 704 determines the nature of the query, which can be 
a query that was selected from a set of standard queries or one constrained to a 
predefined format to ensure privacy of the consumer-specific data, and approves the 
generation of a demographic report to the institution. The is accomplished at step 705 
by transmitting the query that is received from the institution in the proper format to 
the Al Pattern Recognition Subroutines 407 via path (d). At step 706, the Al Pattern 
Recognition Subroutines 407 process the data resident in the Data Tables, Files and 
Records portion 408 of the database 400, which data is accessed via path (e). The 
data processing retrieves the demographic data and processes the raw data that is 
stored in the database 400 and the Al Pattern Recognition Subroutines 407 produces 
a result that typically comprises a set of composite statistics. At step 707, the Al 
Pattern Recognition Subroutines 407 transmits this information via path (f) to the 
Institution Query Output Filter 406 which at step 708 determines the proper formatting 
and additional data that is needed to produce a report for the institution. As part of 
this process, the Institution Query Output Filter 406 verifies that the data retrieved is 
not consumer-specific or of such limited scope as to compromise the privacy of the 
consumer-specific data. This process includes a determination of the size of the 
sample cohort, its respective size with respect to the overall target population, the 
topic areas that this institution is authorized to access, the specifics of the query, and 
the like. At step 709, the Institution Query Output Filter 406 transmits this final report 
via path (g) to the Web Site Router 200 which forwards the report at step 71 0 to the 
institution's personal computer 600 via path (h) for viewing. 
Data Download Validation 

In order to ensure the integrity of the data that is stored in the database 400, 
the information management system IMS includes a download acceptance process 
402 that receives data that is transmitted to the information management system IMS 
and stores the data via path (x) in a temporary file termed "data on hold 409" until the 
data can be validated. The validation process comprises a review of the format and 
content of the data to prevent bogus data from corrupting the integrity of the database 
400. In particular, the user identification information as well as the associated data 
is screened for data usability and associated demographic information. The proper 
formatting of the data is verified and then the received data is stored in the data on 
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hold file 409. Once the data stored in this file is reviewed by either information 
management system IMS personnel and/or further validation software, it is 
downloaded via path (y) to the permanent data repository of data tables, files and 
records 408 where it is incorporated into the existing population of data. 
5 Domain Definition for the Dynamic Data Informed Consent System 

Figure 5 illustrates in block diagram form the structure of the Dynamic Data 
Informed Consent Domain. In particular, the correspondence among the various data 
elements in the Dynamic Data Informed Consent system is illustrated. Thus, the 
consumer has a one to one mapping to a Data Informed Consent, since the Dynamic 

1 0 Data Informed Consent system maintains a single Data Informed Consent for each 
consumer. The Data Informed Consent is mapped to up to n clients, although at any 
time there may be no clients authorized under the consumer's Data Informed Consent. 
Similarly, the consumer has a one to one correspondence to an audit trail file 
maintained by the Dynamic Data Informed Consent system. The audit trail file is 

1 5 mapped to up to n Data Informed Consent Updates, although at any time there may 
be no Data Informed Consent Updates authorized under the consumer's Data 
Informed Consent. The Data Informed Consent Updates are mapped to up to n 
clients, although at any time there may be no clients authorized under the consumer's 
Data Informed Consent Updates. The consumer's audit trail file is mapped to up to 

20 n Health Information Transactions, although at any time there may be no Health 
Information Transactions authorized under the consumer's Data Informed Consent. 
Similarly, each Health Information Transaction is mapped to up to n transmitting and 
n receiving clients, although at any time there may be no clients authorized under the 
consumers Data Informed Consent. 

25 Client Use Cases 

Client use cases are uses that may require internal dynamic Data Informed 
Consent controls. In these instances, each consumer, via the Dynamic Data Informed 
Consent system's Data Informed Consent mechanism, has authorized a health care 
company (e.g., a hospital) to use their proprietary consumer specific data internally. 

30 In a hospital setting, uses may include sending clinical laboratory or X-ray data to the 
patient's record, compilation of admission, discharge and transfer (ADT) data for 
billing purposes (ICD-9 and CPT codes), sending clinical data for in-house pharmacy 
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use, providing clinical data to and for exchange among treating physicians under 
hospital contract, etc. Other examples in which internal data exchange might be 
covered with transaction-by-transaction Data Informed Consent management include 
those entities that provide partially or fully integrated health care delivery (e.g., when 
a physician group owns a hospital and associated laboratory, surgical center, clinic, 
etc., under the umbrella of a single business entity; or a fully integrated [payer + 
provider] entity). 

In all circumstances, Data Informed Consent is a given, though internal 
granularity of authorized data movement may be governed under a broader Data 
Informed Consent, together with a PKI/Digital Certificate set of controls and with 
appropriate security/privacy policy and procedures. Also, any proprietary consumer 
specific data transferred out of the entity to any other party would automatically default 
to full PKI/Data Informed Consent compliance monitoring by the Dynamic Data 
Informed Consent system's external, Web-based system. 

Different levels of authorization are likely to be operative in the integrated 
delivery environment. For example, separate Digital Certificate and Data Informed 
Consent constraints might be applied to: Provider to provider exchange of clinical 
data; Other client company personnel processing of personalized health care data; 
New uses of data such as outcome research or pharmacy benefits analysis. 
Uses That Involve Dynamic Data Informed Consent Controls 

When personalized health care data is exchanged between independent 
business entities (e.g., a hospital sending patient billing to a payer or fiscal 
intermediary), both businesses are required to be in compliance with the 
privacy/security law. The Dynamic Data Informed Consent system's Data Informed 
Consent manages the traffic on the PKI by checking data for Data Informed Consent 
compliance as it is routed through the Dynamic Data Informed Consent system Data 
Center. The actual processing performed by the Data Informed Consent module is 
transparent to the transacting parties (provider and payer). Each of them uses the 
Dynamic Data Informed Consent system PKI and their respective Digital Certificate's 
to package, encrypt and then unlock the data. Data Informed Consent management 
takes place en route. 

Other Uses of Dyna mic Data Informed Consent Controls bv Clients 
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Personalized health care data may legitimately be used outside the scope of 
health care operations for research, for market assessment, for direct marketing, for 
public health reporting, for law enforcement purposes, for quality assessment of care 
delivery, etc. Aside from public health reporting and law enforcement where separate 
disclosure is mandated by law, every use of personalized health data beyond the 
context of healthcare operations must be sanctioned (authorized) by those to whom 
the data pertains. The Dynamic Data Informed Consent system accommodates these 
special use cases via its dynamic Data Informed Consent offering. 
The Dynamic Data Informed Consent System Administrati ve Use Cases 

Typical examples of the use of the Dynamic Data Informed Consent system 
include, but are not limited to the functions listed herein: 

Enroll and authenticate consumer 

Verify Data Informed Consent status 

Issue Digital Certificate to consumer (in conjunction with Data Informed 
Consent) 

Assist consumer with Data Informed Consent changes 

Periodically verify consumer information 

Renew consumer Data Informed Consent 

Service data access and audit trail requests by consumer 

Obtain, on customer's behalf, customer's data held by others 

Service audit log access requests by client companies 

Authenticate client companies 

Issue Digital Certificates (and sub-certificates) to clients and their employees 
Verify client companies' authorized access to consumer information 
Consumers' Component 

The consumer's component of the Data Informed Consent application is 
installed in a manner similar to common consumer applications for personal 
computers. Default values for all installation parameters are provided to effect a 
correct installation on a personal computer with sufficient disk space, an Internet 
connection, and no other application programs running on the computer at the time 
of installation. 

A program for uninstalling the Data Informed Consent application is also 
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installed on the personal computer during the Data Informed Consent application's 

installation. The consumer is able to remove the Data Informed Consent application 

from the computer using this program. 

If, for some reason, the installation of the Data Informed Consent application 

is unsuccessful (if, for example, there is insufficient disk space), the installation 

program removes all installed and partially installed components of the Data Informed 

Consent application from the computer. 

Client Workers' Component 

The client workers' component of the PKI/Data Informed Consent application 
is installed in a manner similar to common business-office software. It is possible for 
system administrators to install the application on workers' computers from a central 
server, or on the target computer directly. Installation and uninstallation may require 
administrative privileges. 

Summary 

The Dynamic Data Informed Consent system enables consumers to govern the 
flow of their personal data regardless of the nature of the information. The consumer 
can define a set of data access rules which designate the client companies who have 
access to the consumer's personal data and the particular segments of that personal 
data to which each client company is entitled. The Data Informed Consent is dynamic 
in that the consumer can use their Digital Certificate at any time to access and modify 
their Data Informed Consent provided to the Dynamic Data Informed Consent system. 
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What is Claimed: 

1. An interactive information management system for regulating users 1 
access to proprietary consumer specific data, comprising data that relates to each of 
a plurality of consumers, where said proprietary consumer specific data is stored in 
a data storage system, comprising: 

means for storing dynamic data informed consent data, comprising a set of 
rules which govern a transaction environment for the exchange of proprietary 
consumer specific data by and among users; and 

means for authorizing an accessing user to receive dynamic data informed 
consent access to said proprietary consumer specific data. 

2. The interactive information management system of claim 1 further 
comprising: 

means, responsive to a consumer accessing said interactive information 
management system, for generating for said consumer dynamic data informed 
consent data comprising a set of rules which govern a transaction environment for the 
exchange of proprietary consumer specific data by and among users. 

3. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

means for informing said consumer that there is the possibility of collection of 
proprietary consumer specific data relating to said consumer. 

4. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

means for enabling said consumer to prevent collection, disclosure or 
exchange of said proprietary consumer specific data relating to said consumer. 

5. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

means for informing said consumer how said proprietary consumer specific 



-28- 



WO 01/33936 



PCT/US00/41623 



data, relating to said consumer and stored in said data storage system is expected to 
be used; and 

means for instructing said consumer how to restrict use of said proprietary 
consumer specific data, relating to said consumer and stored in said data storage 
system. 

6. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

security means for informing said consumer of the extent to which said 
proprietary consumer specific data, relating to said consumer and stored in said data 
storage system is protected. 

7. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

consumer correction means for enabling a consumer to correct inaccuracies 
in said proprietary consumer specific data, relating to said consumer and stored in 
said data storage system. 

8. The interactive information management system of claim 2 wherein said 
means for generating comprises: 

means for generating a digital certificate to enable said consumer future access 
to said interactive information management system. 

9. The interactive information management system of claim 1 wherein said 
means for providing dynamic data informed consent access comprises: 

means for enabling a consumer to authorize at least one user to access 
proprietary consumer specific data, relating to said consumer and stored in said data 
storage system. 

1 0. The interactive information management system of claim 1 wherein said 
means for providing dynamic data informed consent access comprises: 

means, responsive to a user requesting access to proprietary consumer 
specific data, relating to an identified consumer and stored in said data storage 
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system, for determining an identity of said user; 

means for comparing said identity with said dynamic data informed consent 
data to verify said user's authority to access said proprietary consumer specific data, 
relating to an identified consumer and stored in said data storage system; and 
5 means for generating a digital certificate which identifies said user and defines 

limits of said user's authority to access and use said proprietary consumer specific 
data, relating to an identified consumer and stored in said data storage system. 

11. The interactive information management system of claim 1 further 
10 comprising: 

means for tracking user access to and exchange of sajd proprietary consumer 
specific data, relating to an identified consumer and stored in said data storage 
system. 

1 2. The interactive information management system of claim 1 wherein said 
means for providing dynamic data informed consent access comprises: 

means for enabling a user to input a query relating to proprietary consumer 
specific data, relating to said consumer and stored in said data storage system; and 
means, responsive to said input query, for blocking intrusive access to said 
proprietary consumer specific data, relating to said consumer and stored in said data 
storage system, by said user inputting said query. 

13. The interactive information management system of claim 12 wherein 
said means for blocking intrusive access comprises: 

25 a plurality of input filters, each of which functions to provide limits to a quantity 

and content of proprietary consumer specific data, relating to said consumer and 
stored in said data storage system. 

1 4. The interactive information management system of claim 1 wherein said 
30 data storage system is located external to said interactive information management 

system and accessible via electronic communication means. 
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1 5. The interactive information management system of claim 1 wherein said 
data storage system is a part of said interactive information management system. 

16. The interactive information management system of claim 15 wherein 
5 said data storage system comprises: 

electronic database means for storing said proprietary consumer specific data. 

17. The interactive information management system of claim 15 wherein 
said data storage system includes a set of paper records. 

10 

18. A method of operating an interactive information management system 
for regulating users' access to proprietary consumer specific data, comprising data 
that relates to each of a plurality of consumers, where said proprietary consumer 
specific data is stored in a data storage system, comprising: 

15 means for storing dynamic data informed consent data, comprising a set of 

rules which govern a transaction environment for the exchange of proprietary 
consumer specific data by and among users; and 

means for authorizing an accessing user to receive dynamic data informed 
consent access to said proprietary consumer specific data. 

20 

1 9. The method of operating an interactive information management system 
of claim 18 further comprising: 

means, responsive to a consumer accessing said interactive information 
management system, for generating for said consumer dynamic data informed 
25 consent data comprising a set of rules which govern a transaction environment for the 
exchange of proprietary consumer specific data by and among users. 

20. The method of operating an interactive information management system 
of claim 19 wherein said means for generating comprises: 

30 means for informing said consumer that there is the possibility of collection of 

proprietary consumer specific data relating to said consumer. 
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21 . The method of operating an interactive information management system 
of claim 19 wherein said means for generating comprises: 

means for enabling said consumer to prevent collection, disclosure or 
exchange of said proprietary consumer specific data relating to said consumer. 

5 

22. The method of operating an interactive information management system 
of claim 19 wherein said means for generating comprises: 

means for informing said consumer how said proprietary consumer specific 
data, relating to said consumer and stored in said data storage system is expected to 
10 be used; and 

means for instructing said consumer how to restrict use of said proprietary 
consumer specific data, relating to said consumer and stored in said data storage 
system. 

1 5 23. The method of operating an interactive information management system 

of claim 19 wherein said means for generating comprises: 

security means for informing said consumer of the extent to which said 
proprietary consumer specific data, relating to said consumer and stored in said data 
storage system is protected. 

20 

24. The method of operating an interactive information management system 
of claim 19 wherein said means for generating comprises: 

consumer correction means for enabling a consumer to correct inaccuracies 
in said proprietary consumer specific data, relating to said consumer and stored in 
25 said data storage system. 

25. The method of operating an interactive information management system 
of claim 19 wherein said means for generating comprises: 

means for generating a digital certificate to enable said consumer future access 
30 to said interactive information management system. 

26. The method of operating an interactive information management system 
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of claim 1 8 wherein said means for providing dynamic data informed consent access 
comprises: 

means for enabling a consumer to authorize at least one user to access 
proprietary consumer specific data, relating to said consumer and stored in said data 
5 storage system. 

27. The method of operating an interactive information management system 
of claim 1 8 wherein said means for providing dynamic data informed consent access 
comprises: 

10 means, responsive to a user requesting access to proprietary consumer 

specific data, relating to an identified consumer and stored in said data storage 
system, for determining an identity of said user; 

means for comparing said identity with said dynamic data informed consent 
data to verify said user's authority to access said proprietary consumer specific data, 
15 relating to an identified consumer and stored in said data storage system; and 

means for generating a digital certificate which identifies said user and defines 
limits of said user's authority to access and use said proprietary consumer specific 
data, relating to an identified consumer and stored in said data storage system. 

20 28. The interactive information management system of claim 18 further 

comprising: 

means for tracking user access to and exchange of said proprietary consumer 
specific data, relating to an identified consumer and stored in said data storage 
system. 

25 

29. The interactive information management system of claim 1 8 wherein 
said means for providing dynamic data informed consent access comprises: 

means for enabling a user to input a query relating to proprietary consumer 
specific data, relating to said consumer and stored in said data storage system; and 
30 means, responsive to said input query, for blocking intrusive access to said 

proprietary consumer specific data, relating to said consumer and stored in said data 
storage system, by said user inputting said query. 
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30. The method of operating an interactive information management system 
of claim 28 wherein said means for blocking intrusive access comprises: 

a plurality of input filters, each of which functions to provide limits to a quantity 
and content of proprietary consumer specific data, relating to said consumer and 
stored in said data storage system. 

31 . The method of operating an interactive information management system 
of claim 18 wherein said data storage system is located external to said interactive 
information management system and accessible via electronic communication means. 

32. The method of operating an interactive information management system 
of claim 18 wherein said data storage system is a part of said interactive information 
management system. 

33. The method of operating an interactive information management system 
of claim 31 wherein said data storage system comprises: 

electronic database means for storing said proprietary consumer specific data. 

34. The method of operating an interactive information management system 
of claim 31 wherein said data storage system includes a set of paper records. 
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